Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yns_sa
New Contributor

IPsec site to site Sophos Fortinet not established

Hi all, 

Does someone successfully setup IPsec vpn between Sophos and Fortigate. If somebody can post working configuration I would appreciate.

thank you all
ntaneja
Staff

Hi yns_sa,

Please elaborate on the issue you are facing with IPsec between the FortiGate and Sophos.
Are you looking for a document explaining the configuration on the devices, or have you done the required configuration and the tunnel is not coming up or not working as expected?

Thanks

seshuganesh
Staff

Hi Team,

Please execute the below commands on the FortiGate firewall:

diag vpn ike log-filter dst-addr4 a.b.c.d (where a.b.c.d is the remote Sophos public IP)

diag debug application ike -1

diag debug enable

Please try to bring the tunnel up again, and then collect the logs.
Once you have the required logs you can disable the debug by executing this command: "diag debug disable"

Please share the output with us.

sw2090
Honored Contributor

Yeah, logs would be good (though even with them IPsec debugging is sometimes a pain in the a** [which is not Fortinet's fault but more one of IPsec itself]).

A log from your Sophos VPN would probably also be helpful, because it depends on which side the issue happens. If the error occurs on the Sophos side you might not see a clue of it in the FGT logs.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

yns_sa
New Contributor

Hi all,

Find attached all logs from the FortiGate and Sophos.

ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: created connection: 0x5519690 7 10.10.20.2->196.206.X.X:500.
ike 0:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue

(attachments: fortinet event.PNG, sophos error.PNG)
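As an added illustration (not from the thread), the Python below decodes the 28-byte ISAKMP header at the front of each "out" hex dump above and counts outbound main-mode message 1, P1_RETRANSMIT and inbound lines, so a reader can tell from the debug alone whether the peer ever answered phase 1. The sample log is constructed from the shape of the output above, and the assumption that inbound packets appear as "in <hex>" lines in this debug is mine.

```python
import re
import struct

# Constructed sample in the shape of the FortiGate "diag debug application ike -1"
# output above; the hex dump is cut to the 28-byte ISAKMP header, which is all we parse.
SAMPLE_LOG = """\
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A8
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: negotiation timeout, deleting
"""

# ISAKMP exchange-type values (RFC 2408 / RFC 7296).
EXCHANGE_TYPES = {2: "main mode (identity protection)", 4: "aggressive mode",
                  32: "quick mode", 34: "IKEv2 IKE_SA_INIT"}

def parse_isakmp_header(hexdump):
    """Decode the fixed ISAKMP header: 8-byte initiator cookie, 8-byte responder
    cookie, next payload, version, exchange type, flags, message ID, total length."""
    raw = bytes.fromhex(hexdump[:56])
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        ">8s8sBBBBII", raw)
    return {
        "initiator_cookie": i_spi.hex(),
        "responder_cookie": r_spi.hex(),      # all zeros until the peer answers
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "major_version": version >> 4,
        "length": length,                     # should equal the "len=" in the sent line
    }

def diagnose(log_text):
    """Summarise a phase-1 attempt: did the peer ever answer, or did we only retransmit?"""
    sent = len(re.findall(r"sent IKE msg \(ident_i1send\)", log_text))
    retrans = len(re.findall(r"sent IKE msg \(P1_RETRANSMIT\)", log_text))
    # Assumption: inbound packets are dumped as "ike ...: in <HEX>" lines.
    received = len(re.findall(r"^ike \S+ in [0-9A-F]+", log_text, re.M))
    timed_out = "negotiation timeout" in log_text
    if received == 0 and retrans > 0 and timed_out:
        verdict = ("no reply from peer: verify UDP/500 reachability with the sniffer, "
                   "the peer IP, and that the remote side is listening")
    elif received > 0:
        verdict = "peer replied: look for proposal, ID or PSK mismatch later in the debug"
    else:
        verdict = "inconclusive: capture a longer debug"
    return {"sent": sent, "retransmits": retrans, "received": received,
            "timed_out": timed_out, "verdict": verdict}
```

For the dumps above the header decodes to a zero responder cookie, main mode and length 168, matching the "len=168" on each sent line, and the absence of any inbound line before "negotiation timeout" means the FortiGate never received a phase 1 answer.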

Muhammad_Haiqal

Hi there,

I noticed the below error:

ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation

Most probably the issue is on the Phase 2 subnet.
Please make sure both sides, FortiGate and Sophos, are configured with the same information. Avoid using a 0.0.0.0/0 segment, as it may not be "compatible" with Sophos for negotiating the proper segment.

haiqal
yns_sa

Mr @Muhammad_Haiqal

I don't use 0.0.0.0/0; I configured the correct subnet on both sides.

nithincs
Staff

Hi yns_sa,

1. Check that the phase 1 and phase 2 IPsec proposals (DH group, authentication, encryption and key lifetime) are the same on both ends.
2. Run the below sniffer command and see whether UDP port 500 communication is happening between the two peers:

fgt# dia sniffer packet any "host x.x.x.x and (port 500 or port 4500)" 4 0 l

Replace x.x.x.x with your remote peer IP.

If you are not seeing the reverse traffic from the remote peer, please cross-check whether UDP ports 500 and 4500 and ESP packets are allowed by the ISPs at both ends.

If there is a response, run the below debug and capture the IKE debug logs:

diag vpn ike log-filter dst-addr4 x.x.x.x (where x.x.x.x is the remote Sophos public IP)
diag debug application ike -1
diag debug enable

Please try to bring the tunnel up again, and then collect the logs.
Once you have the required logs you can disable the debug by executing this command: "diag debug disable"

Please share the output with us.

yns_sa
New Contributor

This is the output of:

diag vpn ike log-filter dst-addr4 x.x.x.x (where x.x.x.x is the remote Sophos public IP)
diag debug application ike -1
diag debug enable
